users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Fwd: EG F2F minutes from JavaOne 2016

From: Alex Kosowski <alex.kosowski_at_oracle.com>
Date: Thu, 06 Oct 2016 20:41:49 -0400

-------- Original Message --------
Subject: EG F2F minutes from JavaOne 2016
Date: Thu, 6 Oct 2016 15:02:11 -0700
From: Kk Sriramadhesikan <kk.sriramadhesikan_at_oracle.com>
Reply-To: jsr375-experts-request_at_javaee-security-spec.java.net
To: jsr375-experts-request_at_javaee-security-spec.java.net
CC: Bill Shannon <bill.shannon_at_oracle.com>, Linda DeMichiel
<linda.demichiel_at_oracle.com>, David Delabassee
<david.delabassee_at_oracle.com>



Folks
I have been meaning to send the minutes from the EG F2F when we met at
JavaOne 2016. See below.

I looked at the wiki home
<https://java.net/projects/javaee-security-spec/pages/Home> but it was
not obvious where prior meeting minutes were archived, hence this email.
If it needs to be posted somewhere else, let me know where.

I’ve posted the slides from the session here
<https://java.net/projects/javaee-security-spec/downloads/download/CON7978_Sriramadhesikan_JavaOne2016_SecurityForJavaEE8AndTheCloud.pdf>
as well.

I wanted to thank Ivar Grimstad and Werner Keil for the time they took to
make it in person for both the F2F and the session. It was a pleasure
talking to them and several others.

kk

JSR375 EG F2F Oct/21 1230-1330 PT.

Attendees: KK.Sriramadhesikan, Ivar.Grimstad, Werner.Keil (first 10
minutes), Alex.Kosowski, Will.Hopkins (on the phone, sporadically),
Jeff.Tancill (Dev Manager for the Security Team at Oracle, on the phone,
sporadically), Ed.Bratt.

 1. There was agreement that
     1. focusing on sorting out the identity-related aspects outlined in
        the presentation has to be done in 375 for Java EE 8.
     2. the other aspects could come later in Java EE 9, given the
        aggressive timelines (Java EE 8 in 2017 and Java EE 9 in 2018).
 2. Alex raised
     1. whether we can eliminate EJB and JMS from the security work.
     2. Simplifying JASPIC so it can work with all containers would be
        a necessary first step. Reviewing the work Arjan has done in
        comparing the various containers would be a useful stepping
        stone. E.g., can we require that JASPIC be profiled for 375?
 3. Will raised that a Java abstraction of OAuth Resources, Clients and
    Resource Owners is necessary.
 4. There was a request to try and standardize a way to add users (I
    thought that was from Ivar).
     1. I am not sure how viable that is given that identity systems
        typically manage the administration of users outside apps. But
        this can certainly be debated.
 5. There was also a request to start holding regular meetings -- weekly
    or bi-weekly, but regular.